Abstract. Many systems include components interacting with each other that evolve with possibly very different speeds. To deal with this situation many formal models adopt the abstraction of "zero-time transitions", which do not consume time. These however have several drawbacks in terms of naturalness and logical consistency, as a system is modeled to be in different states at the same time. We propose a novel approach that exploits concepts from non-standard analysis to introduce a notion of micro- and macro-steps in an extension of the TRIO metric temporal logic, called X-TRIO. We use X-TRIO to provide a formal semantics and an automated verification technique for Stateflow-like notations used in the design of flexible manufacturing systems.

Keywords: metric temporal logic, formal verification, flexible manufacturing systems, micro- and macro-steps, non-standard analysis



1 Introduction 



In many approaches to modeling time-dependent systems, each instant of a temporal domain T is associated with exactly one "state". This view can come into question when a system includes computational components that perform calculations whose durations are negligible with respect to the dominant dynamics of the system. This occurs typically in embedded systems where some computing device, whose dynamics evolve at the pace of microseconds, monitors and controls an environment whose dynamics is in the order of seconds. Imagine, for example, a controller of a reservoir that takes decisions on resource management in a few milliseconds, and actuates them in a few minutes.

A common abstraction adopted in the literature to deal with this situation, one that is also widely accepted in the practice of systems development, consists in introducing a notion of "zero-time transition", where a state change occurs in such a short time that it can be neglected w.r.t. the other types of system evolution. In this view, the system can traverse different states in zero time, thus a time instant t can be associated with more than one state (e.g., the controller above could be in states "update variables" and "make decision" at the same time). Examples of formalisms in which zero-time transitions are allowed are (see [9]): timed Petri nets where transitions can have null firing times; some timed versions of Statecharts whose semantics is defined as a sequence of micro- and macro-steps, where only the latter ones advance time; various versions of timed or hybrid automata which separate transitions that produce a state change in null time from transitions that only make time progress. In some sense these notations split time modeling in two separate domains: a logical domain, that orders events in terms of their logical precedence (e.g., the controller updates the variables before deciding whether to turn a switch on or off) and a physical domain over which the t variable ranges.

The notion of zero-time transition, or micro-step, is a useful abstraction, but it inevitably entails some risks from the point of view of naturalness of modeling and safe mathematical analysis. Not only is the fact that a system can be in different states at the same time counterintuitive from the standpoint of the traditional dynamical system view where the state is a function of time, it also exposes to the risk of contradictory assertions about system timing properties. In [PT] we proposed a natural way to overcome this difficulty through non-standard analysis (NSA): the temporal domain is extended by introducing infinitesimals, i.e., numbers that are strictly less than any positive standard one. We exploited this idea by replacing zero-time transitions with transitions that take a non-null, infinitesimal time in the context of our metric temporal logic language TRIO.

In this paper we further pursue our approach based on adopting a non-standard time domain for TRIO to formalize micro- and macro-steps in dynamical systems. The key novelty consists of introducing in TRIO the next-time operator typical of various temporal logics. Our approach retains the metric view of time that is typical of TRIO, but it avoids associating a fixed time distance to the next-time operator: the new state defined by it is entered after the current one at a time distance that can be a standard positive number, in the case of a macro-step, or an infinitesimal one in the case of a micro-step. With this natural approach we preserve the intuitive concept that time and system state progress "together", but we also provide a mathematical foundation to support analysis and verification at different time scales.

This extension of TRIO, called X-TRIO, allows us to describe in a natural way the formal semantics of (usually semi-formal) notations that are widely used in industrial practice, in which zero-time transitions are a key concept. In particular, in this paper we focus on the Stateflow notation [19] that is common in the design of controllers of manufacturing systems. Besides naturalness and generality, however, we pursue the goal of providing fully automated tools supporting the analysis of the modeled systems. This is achieved by translating a decidable fragment of the X-TRIO logic, one that is expressive enough to fully capture the semantics of the target notation, into the Propositional Linear Temporal Logic with Both future and past operators (PLTLB), which is amenable to automated analysis by existing tools such as Zot [22].

In the literature, other works [2, 14] have used NSA to provide a formal and rigorous semantics to timing features of various kinds of notations for system modeling. In [2] NSA is used to describe a hybrid system modeled in Simulink, in presence of cascaded mode changes. In [3], a complete system theory is defined, adopting a theoretical approach to investigate computability issues.

Since the introduction of Statecharts (the language on which Stateflow is based) several different semantics have been defined for it. The three most classical ones, the fixpoint [22], STATEMATE [13], and UML semantics, differ in the features adopted for step execution, and have been fully analyzed in [5]. In the present work we focus on Stateflow because of its widespread use in industrial settings, but our approach is general enough to be adjusted to any of the semantics defined for Statecharts or other state-based formalisms that use the abstraction of micro- and macro-steps.

Notions of zero-time transitions, micro- and macro-steps appear very naturally when reasoning about computations of embedded systems, so, rather unsurprisingly, they arise in real-time temporal logics. Since the very early developments in this field, approaches were introduced that admit zero-time transitions at the price of associating multiple states to single time instants [21]. Our approach is akin to that of [17], which introduces a general framework accommodating suitable time structures supporting the notion of micro- and macro-steps, but does not address issues of decidability and verification. The proposal in [12] provides notations for modeling micro-steps in the framework of Duration Calculus, which, unlike TRIO, is a logic based on intervals: it defines a decidable fragment of the notation but does not give algorithms or build tools supporting verification. Other works are only partially connected to ours, as they deal with issues concerning the modeling and development of embedded systems at various time scales: [15] and [10] deal with issues of sampling and digitization, [5] and [7] discuss issues related with time granularity, and [16] provides a refinement method based on assume-guarantee induction over different time scales.

This paper is structured as follows. In Section 2 we define the X-TRIO logic and study its relevant properties. Then, in Section 3 we use X-TRIO to provide a formal semantics to the Stateflow notation, and we use the translation defined in Section 2.2 to perform automated verification of an example of Flexible Manufacturing System. Section 4 concludes and hints at possible extensions and enhancements of this work.

2 The X-TRIO logic 

In this section we introduce the X-TRIO logic. After some necessary background 
we define the syntax and semantics of the language. Then, we study the relevant 
properties of the logic: we show the undecidability of X-TRIO in its general form, 
and we identify a subset whose satisfiability problem can be reduced to that of 
PLTLB, thus providing an effective mechanism to verify X-TRIO models. 

2.1 Background, syntax and semantics of X-TRIO 

The original TRIO language [5] is a general-purpose specification language suitable for modeling real-time systems. It is a temporal logic supporting a metric on time. TRIO formulae are built out of the usual first-order connectives, operators, and quantifiers, and the single basic modal operator, Dist: for any formula $\phi$ and term $t$ indicating a time distance, the formula $\mathrm{Dist}(\phi, t)$ specifies that $\phi$ holds at a time instant whose distance is exactly $t$ time units from the current instant. TRIO formulae can be interpreted both in discrete and dense time domains.

X-TRIO extends TRIO along two main lines. First, the temporal domain $T$ is augmented with infinitesimal numbers (from the theory of non-standard analysis founded by A. Robinson [24]): intuitively, a number $\varepsilon$ is infinitesimal if $\varepsilon > 0$ and $\varepsilon$ is smaller than any number in $T_{>0}$. The original values of $T$ are classified as standard and are characterized by predicate $st$; that is, $x$ is standard iff $st(x)$ holds. $T$ is augmented with infinitesimal numbers and all numbers resulting from adding and subtracting infinitesimal non-zero numbers to and from standard ones. Predicate $ns(x)$ denotes that $x$ is non-standard; for each $x$, $st(x)$ holds if and only if $ns(x)$ does not hold. Notice that 0 is the only infinitesimal standard number and that non-standard numbers are of the form $v \pm \varepsilon$, where $st(v)$ holds and $\varepsilon$ is infinitesimally greater than 0. Then, NSA provides an axiomatization that allows one to apply all arithmetic operations and properties of traditional analysis in an intuitive way: for instance the sum of two standard numbers is standard, the sum of two infinitesimal numbers is an infinitesimal and the sum of an infinitesimal with a standard number is a non-standard number. The theory of NSA introduces, in addition to the notion of infinitesimal numbers and operations on them, the notion of infinite numbers (which are, intuitively, greater than any value in $T$), plus a rich set of results that make NSA an appealing framework for reasoning on both familiar and new objects. In this paper we exploit some of the terminology and concepts of NSA to provide an elegant characterization of zero-time steps, but we do not make use of the full power of the theory; for example, we do not deal with infinite numbers (i.e., we have that $ns(x)$ iff $x = v \pm \varepsilon$, with $st(v)$ and $\varepsilon$ infinitesimal), as they seem of little use when dealing with zero-time steps.

We assume $\mathbb{R}$ as the original time domain $T$. We denote the extension of $T$ with infinitesimal numbers as $T^+$; $T^+$ is a totally ordered set of numbers. Throughout the paper we focus on subsets of $\mathbb{R}^+$. In particular, we will consider the domain $\mathbb{N}^+$ of naturals augmented with infinitesimal numbers.

The second major novelty of X-TRIO is the introduction of the next operator $\mathbf{X}$, which is typically used to describe the evolution of dynamical systems as a sequence of discrete steps. Unlike the traditional use of the operator in a metric setting, however, the time distance between two consecutive states is not implicitly assumed to be a time unit; on the contrary it can be any standard or non-standard positive number. Precisely, we introduce two different types of $\mathbf{X}$ operator, namely $\mathbf{X}_{st}$ and $\mathbf{X}_{ns}$. Intuitively, the formula $\mathbf{X}_{st}(\phi)$ is true in the current instant iff $\phi$ is true in the next state entered by the system and this occurs at a time instant that is a standard number; conversely, formula $\mathbf{X}_{ns}(\phi)$ is true iff in the next state $\phi$ is true and the occurrence time is a non-standard number. We will use these two operators to distinguish between two typical ways of modeling system evolution: $\mathbf{X}_{st}$ will formalize macro-steps, i.e., transitions that "consume real, tangible time", whereas $\mathbf{X}_{ns}$ will describe micro-steps, which are often formalized as zero-time transitions. Yesterday operators $\mathbf{Y}_{st}$ and $\mathbf{Y}_{ns}$ are introduced in a similar manner.

The syntax of X-TRIO is defined as follows:

$$\phi := p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \mathrm{Dist}(\phi, k) \mid \mathbf{X}_{st}(\phi) \mid \mathbf{X}_{ns}(\phi) \mid \mathbf{Y}_{st}(\phi) \mid \mathbf{Y}_{ns}(\phi) \mid \forall t.\tau$$

$$\tau := \phi \mid \mathrm{Dist}(\phi, t) \mid t = k \mid t < k \mid \tau_1 \wedge \tau_2 \mid \neg\tau$$

For the purposes of this paper we restrict the set of atomic propositions $AP$ to propositional variables $p$, and the set $V$ of temporal terms to variables $t$ and constants $k$. Temporal terms $t$ take values in the time domain $T$ and can appear only in closed formulae. We leave first-order extensions of the logic to future work. Symbols $\top$, $\bot$, $\vee$, $\to$, $\exists$, etc. are derived as usual. We introduce the derived operators of X-TRIO in the same way as in TRIO. The derived temporal operators used in this paper are shown in Table 1.

A model-theoretic semantics for X-TRIO is defined by following a fairly standard path on the basis of a temporal structure $S = (T, \beta, \nu, \sigma)$, where:

- $T$ is the time domain, such that $\forall t \in T$ it is $t \geq 0$.

- $\beta : T \to 2^{AP}$ is an interpretation function that associates each instant of time $t$ with the set of atomic propositions $\beta(t)$ that are true in $t$.

- $\nu : V \to T$ is an evaluation function that associates with each temporal term of the set $V$ a value in $T$.

- $\sigma = \{\sigma_i \mid i \in \mathbb{N} : \sigma_i \in T \wedge \sigma_0 = 0 \wedge \forall j \in \mathbb{N}\,(j < i \Rightarrow \sigma_j < \sigma_i) \wedge \forall t \in T\,(\sigma_i \leq t < \sigma_{i+1} \Rightarrow \beta(\sigma_i) = \beta(t))\}$ is the distinguishing element of the X-TRIO temporal structure; it is a (possibly infinite) sequence of time instants starting from the initial instant 0, called History. Intuitively, it represents the discrete sequence of instants when the system changes state; thus, the $\mathbf{X}$ operator represents a step moving from $\sigma_i$ to $\sigma_{i+1}$.

Table 1. X-TRIO derived temporal operators.

OPERATOR                          DEFINITION
$\mathrm{AlwF}(\phi)$             $\forall d\,(d > 0 \to \mathrm{Dist}(\phi, d))$
$\mathrm{SomF}(\phi)$             $\exists d\,(d > 0 \wedge \mathrm{Dist}(\phi, d))$
$\mathrm{WithinF}(\phi, \delta)$  $\exists d\,(0 < d < \delta \wedge \mathrm{Dist}(\phi, d))$
$\mathrm{Until}(\phi, \psi)$      $\exists d > 0\,(\mathrm{Dist}(\psi, d) \wedge \forall v\,(0 < v < d \to \mathrm{Dist}(\phi, v)))$
$\mathrm{Since}(\phi, \psi)$      $\exists d > 0\,(\mathrm{Dist}(\psi, -d) \wedge \forall v\,(-d < v < 0 \to \mathrm{Dist}(\phi, v)))$

Then the satisfaction relation $\models$ of an X-TRIO formula $\phi$ by structure $S = (T, \beta, \nu, \sigma)$ at a time instant $i \in T$ is defined as follows:
$S, i \models p$ iff $p \in \beta(i)$

$S, i \models \neg\phi$ iff $S, i \not\models \phi$

$S, i \models \phi_1 \wedge \phi_2$ iff $S, i \models \phi_1$ and $S, i \models \phi_2$

$S, i \models \mathrm{Dist}(\phi, k)$ iff $i + \nu(k) \in T$ and $S, i + \nu(k) \models \phi$

$S, i \models \mathrm{Dist}(\phi, t)$ iff $i + \nu(t) \in T$ and $S, i + \nu(t) \models \phi$

$S, i \models \mathbf{X}_{st}(\phi)$ iff there is $j \in \mathbb{N}$ s.t. $\sigma_j \leq i < \sigma_{j+1}$, $st(\sigma_{j+1})$ and $S, \sigma_{j+1} \models \phi$

$S, i \models \mathbf{X}_{ns}(\phi)$ iff there is $j \in \mathbb{N}$ s.t. $\sigma_j \leq i < \sigma_{j+1}$, $ns(\sigma_{j+1})$ and $S, \sigma_{j+1} \models \phi$

$S, i \models \mathbf{Y}_{st}(\phi)$ iff there is $j \in \mathbb{N}$ s.t. $\sigma_{j-1} < i \leq \sigma_j$, $j > 0$, $st(\sigma_{j-1})$ and $S, \sigma_{j-1} \models \phi$

$S, i \models \mathbf{Y}_{ns}(\phi)$ iff there is $j \in \mathbb{N}$ s.t. $\sigma_{j-1} < i \leq \sigma_j$, $j > 0$, $ns(\sigma_{j-1})$ and $S, \sigma_{j-1} \models \phi$

$S, i \models \forall d.\phi$ iff for all $\nu'$ that differ from $\nu$ at most for $d$, $(T, \beta, \nu', \sigma), i \models \phi$

A formula $\phi$ is satisfiable in a structure $S = (T, \beta, \nu, \sigma)$ when $S, 0 \models \phi$.

In the rest of the paper, we focus our attention on a fragment of X-TRIO, which we name X-TRIO_N, that is sufficiently expressive for the purpose of providing Stateflow with a formal semantics and that is, under suitable conditions, decidable. X-TRIO_N formulae are interpreted on the temporal domain $\mathbb{N}^+ \subset \mathbb{R}^+$, which includes exactly all numbers of the form $v + k\varepsilon$, where $v, k \in \mathbb{N}$ and $\varepsilon > 0$ is an infinitesimal constant number fixed a priori. Thus, in $\mathbb{N}^+$, standard numbers are identified by the coefficient $k = 0$. X-TRIO_N corresponds to the following syntactic fragment of X-TRIO, where $\varepsilon$ is a constant and NowST is an operator with no arguments that is described below:

$$\phi := p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \mathrm{Dist}(\phi, 1) \mid \mathrm{Dist}(\phi, -1) \mid \mathrm{Dist}(\phi, \varepsilon) \mid \mathrm{Until}(\phi_1, \phi_2) \mid \mathrm{Since}(\phi_1, \phi_2) \mid \mathbf{X}_{st}(\phi) \mid \mathbf{X}_{ns}(\phi) \mid \mathrm{NowST}$$

In this fragment, $\mathrm{Dist}(\phi, 1 + \varepsilon)$ is an abbreviation for $\mathrm{Dist}(\mathrm{Dist}(\phi, \varepsilon), 1)$, and also $\mathrm{Dist}(\phi, 2) = \mathrm{Dist}(\mathrm{Dist}(\phi, 1), 1)$, $\mathrm{Dist}(\phi, 2\varepsilon) = \mathrm{Dist}(\mathrm{Dist}(\phi, \varepsilon), \varepsilon)$, and so on. Notice that the Until and Since operators of Table 1 are primitive in X-TRIO_N, and we have the usual abbreviations $\mathrm{SomF}(\phi) = \mathrm{Until}(\top, \phi)$ and $\mathrm{AlwF}(\phi) = \neg\mathrm{SomF}(\neg\phi)$. As the syntax of X-TRIO_N does not allow for variables, its temporal structures become triples of the form $S = (T, \beta, \sigma)$. To distinguish between standard and non-standard instants, X-TRIO_N introduces operator NowST such that $S, i \models \mathrm{NowST}$ iff $st(i)$.
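As an added example (not code from the paper), the satisfaction relation of the X-TRIO_N fragment evaluated directly over the domain N+ on a finite history; the sample history, its interpretation β and the treatment of instants beyond the last history point are assumptions of the example.

```python
"""Direct semantics of the X-TRIO_N fragment over a finite history.

Added example, not code from the paper. Instants of N+ are pairs (v, k)
standing for v + k*eps; st((v, k)) holds iff k == 0, and the lexicographic
order of the pairs is the order of N+ because eps is infinitesimal. The
history sigma is a strictly increasing list of instants starting at (0, 0)
and beta is given at history points only, since it is constant on
[sigma_j, sigma_{j+1}). Assumption of this example: sigma is a finite prefix,
and an instant at or after its last point is "not covered", where every
formula evaluates to false (the paper's convention for instants beyond an
accumulation point, applied here to the end of the prefix).
"""
from bisect import bisect_right

ONE, MINUS_ONE, EPS = (1, 0), (-1, 0), (0, 1)   # the three distances of the fragment


def st(i):
    """Standard instants have a zero coefficient of eps."""
    return i[1] == 0


def plus(i, d):
    return (i[0] + d[0], i[1] + d[1])


def check_history(history):
    """C1: the standard points are exactly 0, 1, ..., n (a bounded interval including 0).
    C2: a non-standard sigma_{i+1} equals sigma_i + eps."""
    standards = [v for (v, k) in history if k == 0]
    c1 = standards == list(range(standards[-1] + 1))
    c2 = all(st(b) or plus(a, EPS) == b for a, b in zip(history, history[1:]))
    return c1, c2


class Structure:
    """S = (N+, beta, sigma); formulas are nested tuples, e.g. ("Xns", ("p", "busy"))."""

    def __init__(self, history, beta):
        assert history[0] == (0, 0) and len(history) == len(beta)
        assert all(a < b for a, b in zip(history, history[1:]))
        self.sigma, self.beta = history, [set(b) for b in beta]

    def index(self, i):
        """j with sigma_j <= i < sigma_{j+1}, or None if i is not covered."""
        j = bisect_right(self.sigma, i) - 1
        return j if 0 <= j < len(self.sigma) - 1 else None

    def sat(self, i, f):
        j = self.index(i)
        if j is None:
            return False
        op = f[0]
        if op == "true":
            return True
        if op == "p":                         # p in beta(i) = beta(sigma_j)
            return f[1] in self.beta[j]
        if op == "not":
            return not self.sat(i, f[1])
        if op == "and":
            return self.sat(i, f[1]) and self.sat(i, f[2])
        if op == "nowst":                     # NowST holds exactly at standard instants
            return st(i)
        if op == "dist":                      # Dist(phi, 1), Dist(phi, -1) or Dist(phi, eps)
            return self.sat(plus(i, f[2]), f[1])
        if op in ("Xst", "Xns"):              # the next state is entered at sigma_{j+1}
            nxt = self.sigma[j + 1]
            return st(nxt) == (op == "Xst") and self.sat(nxt, f[1])
        raise ValueError("unknown operator %r" % op)


# Constructed sample: a controller that takes two micro-steps at time 0
# (idle -> busy -> busy+out), reaches a stable configuration, and at time 1
# takes one micro-step back to idle; afterwards only macro-steps occur.
HISTORY = [(0, 0), (0, 1), (0, 2), (1, 0), (1, 1), (2, 0), (3, 0)]
BETA = [{"idle"}, {"busy"}, {"busy", "out"}, {"busy", "out"}, {"idle"}, {"idle"}, {"idle"}]
SAMPLE = Structure(HISTORY, BETA)

if __name__ == "__main__":
    print(check_history(HISTORY))                                  # (True, True)
    print(SAMPLE.sat((0, 0), ("Xns", ("p", "busy"))))              # True: micro-step to busy
    print(SAMPLE.sat((0, 2), ("Xst", ("p", "out"))))               # True: macro-step to instant 1
    print(SAMPLE.sat((0, 5), ("nowst",)), SAMPLE.sat((0, 5), ("p", "busy")))  # False True
```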

The restrictions introduced in X-TRIO_N, however, are not enough to make it decidable. In fact, the following holds.

Theorem 1. The satisfiability problem of the X-TRIO_N logic is undecidable.

The proof of Theorem 1, which can be found in A.1, is by reduction of the halting problem of the 2-counter machine. In Section 2.2 we introduce a sufficient condition that makes X-TRIO_N decidable, but still expressive enough for our purposes.
2.2 A decidable fragment of X-TRIO and its encoding in PLTLB

In this section we show the decidability of X-TRIO_N, under suitable conditions, by reducing the satisfiability problem of X-TRIO_N to that of PLTLB. The encoding of the transformation has been implemented in the Zot satisfiability checker.

PLTLB extends classic LTL [25] with past operators; its syntax, as it will be used in the rest of this paper, is the following:

$$\phi := p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \mathbf{X}_L(\phi) \mid \mathbf{Y}_L(\phi) \mid \phi_1\, \mathbf{U}_L\, \phi_2 \mid \phi_1\, \mathbf{S}_L\, \phi_2$$

The semantics of PLTLB is defined over discrete traces, representing infinite evolutions over time of the modeled system. A trace is an infinite word $\pi = \pi(0)\pi(1)\ldots$ over the finite alphabet $\Sigma = 2^{AP}$, where each $\pi(i)$ represents the set of atomic propositions that are true in $i$. $\pi^i$ denotes the suffix of $\pi$ starting from $\pi(i)$. We denote the satisfiability relation of PLTLB with $\models_L$. The definition of $\models_L$ is straightforward if one considers that, for any $\phi$, $\mathbf{Y}_L(\phi)$ is false at 0 [25].

As a first step to encode X-TRIO_N into PLTLB, we restrict histories $\sigma$ according to the following constraints:

C1. Either all standard natural numbers, or a bounded interval thereof including 0, belong to $\sigma$.

C2. If $\sigma_{i+1}$ is non-standard ($ns(\sigma_{i+1})$), then $\sigma_{i+1} - \sigma_i = \varepsilon$.

These constraints are not strictly necessary to obtain decidability, but they are not overly restrictive and they simplify the encoding for our purposes. Notice also that, if $\sigma_{i+1}$ is standard ($st(\sigma_{i+1})$), then between $\sigma_i$ and $\sigma_{i+1}$ there is an infinite sequence of non-standard numbers $\sigma_i + \varepsilon, \sigma_i + 2\varepsilon, \ldots$ such that, for all $k \geq 1$, $\beta(\sigma_i + k\varepsilon) = \beta(\sigma_i)$.

To reduce the satisfiability problem of X-TRIO_N (which is in general undecidable) to that of PLTLB (which is decidable), we need to apply further restrictions to the former. The key to obtaining decidability is to make the evaluation of this operator meaningful only in standard instants. To this purpose, we use the operator NowST, which evaluates to true only in standard instants. To simplify the encoding further, with a limited cost in expressiveness, we also impose that the value of formulae is meaningful only in instants that are "covered" by the history $\sigma$. In fact, by definition of $\sigma$ in Section 2.1, there can be instants $t \in T$ such that, for all $i$, $\sigma_i < t$. In this case, $\sigma$ shows a classic Zeno behavior, where it accumulates at a finite instant, signaling a model that changes state infinitely often in a finite interval. Then, by convention, we state that formulae that are evaluated after one such accumulation point are false. This can be achieved by considering every subformula $\psi$ of an X-TRIO_N formula as an abbreviation for $\psi \wedge \mathrm{SomF}(\mathbf{X}_{st}(\top) \vee \mathbf{X}_{ns}(\top))$.

The basic idea of the encoding is, given an X-TRIO_N formula $\phi$, to build a corresponding PLTLB formula $\tau_f(\phi)$ such that each model $S = (\mathbb{N}^+, \beta, \sigma)$ of $\phi$ corresponds to a trace $\pi$ that is a model of $\tau_f(\phi)$, such that every $\sigma_i$ maps to an element $j$ of $\pi$ where $\beta(\sigma_i) = \pi(j)$. Then, we represent the transition $\sigma_i \mapsto \sigma_{i+1}$ through the operator $\mathbf{X}_L$. Constraints C1 and C2 guarantee that the difference between $\sigma_{i+1}$ and $\sigma_i = v + k\varepsilon$ is either $1 - k\varepsilon$ or $\varepsilon$, depending on whether $\sigma_{i+1}$ is standard or not. The encoding "flattens" the history $\sigma$ over $\pi$: to distinguish between standard and non-standard instants, we introduce a PLTLB propositional letter $s_p$ that marks the elements of trace $\pi$ that correspond to standard instants. We also need to introduce a "filling" element in $\pi$ whenever in $\sigma$ there are two elements $\sigma_i$, $\sigma_{i+1}$ that are both standard, i.e., between two elements in $\pi$ that are marked as $s_p$ (see the proof of Theorem 2 in Appendix A.2 for more details). Filling elements are marked in $\pi$ through predicate $f_p$.

Table 2. Translation schema $\tau_f$.

$\tau_f(p) = p$   $\tau_f(\mathrm{NowST}) = s_p$   $\tau_f(\mathrm{Dist}(\phi, 0)) = \tau_f(\phi)$

$\tau_f(\neg\phi) = \neg\tau_f(\phi)$   $\tau_f(\phi_1 \wedge \phi_2) = \tau_f(\phi_1) \wedge \tau_f(\phi_2)$

$\tau_f(\mathbf{X}_{ns}(\phi)) = \mathbf{X}_L(\tau_f(\phi) \wedge \neg s_p)$

$\tau_f(\mathbf{X}_{st}(\phi)) = \mathbf{X}_L((\tau_f(\phi) \wedge s_p) \vee (f_p \wedge \mathbf{X}_L(\tau_f(\phi))))$

$\tau_f(\mathrm{Dist}(\phi, \varepsilon)) = \mathbf{X}_L(\tau_f(\phi) \wedge \neg s_p) \vee (\mathbf{X}_L(s_p) \wedge \tau_f(\phi))$

$\tau_f(\mathrm{Dist}(\phi, 1)) = \mathbf{X}_L(\neg s_p\, \mathbf{U}_L\, (\tau_f(\phi) \wedge s_p))$

$\tau_f(\mathrm{Dist}(\phi, -1)) = s_p \wedge \mathbf{Y}_L(\neg s_p\, \mathbf{S}_L\, (s_p \wedge \tau_f(\phi)))$

$\tau_f(\mathrm{Until}(\phi, \psi)) = \tau_f(\phi)\, \mathbf{U}_L\, \tau_f(\psi)$

$\tau_f(\mathrm{Since}(\phi, \psi)) = \tau_f(\phi)\, \mathbf{S}_L\, (\mathbf{X}_L(\neg s_p) \wedge \tau_f(\psi)) \vee \tau_f(\phi)\, \mathbf{S}_L\, (\mathbf{X}_L(s_p) \wedge \tau_f(\phi) \wedge \tau_f(\psi))$

The translation schema $\tau_f$ of Table 2 transforms an X-TRIO_N formula $\phi$ into an equisatisfiable PLTLB formula $\phi_L$.

Schema $\tau_f$ is completed by the assertion (A1)

$$s_p \wedge \mathbf{G}_L\big((s_p \to \mathbf{X}_L(f_p \vee \neg s_p)) \wedge (f_p \to (\mathbf{Y}_L(s_p) \wedge \neg s_p \wedge \mathbf{X}_L(s_p)))\big) \qquad (1)$$

which imposes that predicate $s_p$ holds in $\pi(0)$ and that $f_p$ always appears between two consecutive $s_p$, and by the assertion (A2)

$$\mathbf{G}_L\Big(f_p \to \bigwedge_{p \in AP} (p \leftrightarrow \mathbf{Y}_L(p))\Big) \qquad (2)$$

which states that propositions do not change values between two standard instants $\sigma_i$ and $\sigma_{i+1}$. The following result holds (see Section A.2 for the proof).
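An added example (not the paper's or Zot's code) of the flattening of a history into a PLTLB trace with the markers s_p and f_p, the translation schema τ_f of Table 2 and the side assertions (A1) and (A2); the finite-trace reading of G_L and the sample history are assumptions of the example.

```python
"""Flattening an X-TRIO_N history into a PLTLB trace, the translation schema
tau_f of Table 2 and the side assertions (A1) and (A2).

Added example, not the paper's or Zot's code. Instants are pairs (v, k) for
v + k*eps. Each history point sigma_i becomes one trace position carrying
beta(sigma_i), marked s_p when sigma_i is standard; between two consecutive
standard points a filling position marked f_p is inserted, copying the
propositions of the position before it as (A2) requires. Assumptions: the
trace is a finite prefix, G_L ranges over the positions that have a
successor, formulas are false outside the trace, Since is left out of tau."""
S_P, F_P = "s_p", "f_p"
SP, NSP, FP = ("p", S_P), ("not", ("p", S_P)), ("p", F_P)

def flatten(history, beta):
    """History -> trace pi as a list of sets of propositions."""
    trace = []
    for i, (inst, props) in enumerate(zip(history, beta)):
        if i > 0 and inst[1] == 0 and history[i - 1][1] == 0:
            trace.append((set(trace[-1]) - {S_P}) | {F_P})   # filling element
        trace.append(set(props) | ({S_P} if inst[1] == 0 else set()))
    return trace

def holds(trace, j, f):
    """PLTLB satisfaction pi, j |=_L f over a finite trace; Y_L is false at 0."""
    if not 0 <= j < len(trace):
        return False
    op = f[0]
    if op == "p":
        return f[1] in trace[j]
    if op == "not":
        return not holds(trace, j, f[1])
    if op == "and":
        return holds(trace, j, f[1]) and holds(trace, j, f[2])
    if op == "or":
        return holds(trace, j, f[1]) or holds(trace, j, f[2])
    if op == "imp":
        return not holds(trace, j, f[1]) or holds(trace, j, f[2])
    if op == "XL":
        return holds(trace, j + 1, f[1])
    if op == "YL":
        return j > 0 and holds(trace, j - 1, f[1])
    if op in ("UL", "SL"):   # f1 U_L f2: f2 at some k >= j with f1 at every position in [j, k)
        for k in (range(j, len(trace)) if op == "UL" else range(j, -1, -1)):
            if holds(trace, k, f[2]):
                return True
            if not holds(trace, k, f[1]):
                return False
        return False
    raise ValueError("unknown operator %r" % op)

def tau(f):
    """Translation schema tau_f of Table 2 (X-TRIO_N operator -> PLTLB formula)."""
    op = f[0]
    if op == "p":
        return f
    if op == "nowst":
        return SP
    if op == "not":
        return ("not", tau(f[1]))
    if op == "and":
        return ("and", tau(f[1]), tau(f[2]))
    if op == "Xns":
        return ("XL", ("and", tau(f[1]), NSP))
    if op == "Xst":          # the next standard point may sit behind a filling element
        return ("XL", ("or", ("and", tau(f[1]), SP), ("and", FP, ("XL", tau(f[1])))))
    if op == "dist_eps":
        return ("or", ("XL", ("and", tau(f[1]), NSP)), ("and", ("XL", SP), tau(f[1])))
    if op == "dist_1":
        return ("XL", ("UL", NSP, ("and", tau(f[1]), SP)))
    if op == "dist_m1":
        return ("and", SP, ("YL", ("SL", NSP, ("and", SP, tau(f[1])))))
    if op == "until":
        return ("UL", tau(f[1]), tau(f[2]))
    raise ValueError("unknown operator %r" % op)

def a1(trace):
    """(A1): s_p at 0; s_p is followed by f_p or a non-standard position; f_p lies between two s_p."""
    body = ("and", ("imp", SP, ("XL", ("or", FP, NSP))),
            ("imp", FP, ("and", ("YL", SP), ("and", NSP, ("XL", SP)))))
    return holds(trace, 0, SP) and all(holds(trace, j, body) for j in range(len(trace) - 1))

def a2(trace, props):
    """(A2): at a filling element every proposition keeps the value it had just before."""
    return all(F_P not in t or all((p in t) == (p in trace[j - 1]) for p in props)
               for j, t in enumerate(trace) if j > 0)

# Constructed sample history: two micro-steps at 0, one at 1, then macro-steps only.
HISTORY = [(0, 0), (0, 1), (0, 2), (1, 0), (1, 1), (2, 0), (3, 0)]
BETA = [{"idle"}, {"busy"}, {"busy", "out"}, {"busy", "out"}, {"idle"}, {"idle"}, {"idle"}]
TRACE = flatten(HISTORY, BETA)   # 8 positions; position 6 is the filling element between 2 and 3
```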

Theorem 2. Given an X-TRIO_N formula $\phi$, there is a structure $S = (\mathbb{N}^+, \beta, \sigma)$ such that $S, 0 \models \phi$ iff there exists a trace $\pi$ such that $\pi \models_L \tau_f(\phi) \wedge (\mathrm{A1}) \wedge (\mathrm{A2})$.

From translation schema $\tau_f$ and Theorem 2 we can prove the following.

Theorem 3. The satisfiability problem for X-TRIO_N as restricted in this section is decidable and PSPACE-complete.

3 Exploiting X-TRIO to analyze Stateflow diagrams 

In this section we present an application of X-TRIO_N to provide the Stateflow notation with a formal semantics that includes a precise, metric notion of time; this allows us to introduce metric constraints in the notation and to formally analyze real-time requirements and properties. We exploit the X-TRIO_N-based semantics of Stateflow to perform automated formal verification of some properties of interest of the controller of a Flexible Manufacturing System (FMS), which is used in this section as an example to illustrate the Stateflow notation.

3.1 Stateflow diagrams and their semantics in X-TRIO_N

The Stateflow notation is a variation of Statecharts; it describes finite state machines performing discrete transitions between states in a simple and intuitive way. In a nutshell, a Stateflow diagram is composed of: (i) a finite set of typed variables $V$ partitioned into input ($V_I$), output ($V_O$), and local ($V_L$) variables; input and output events are represented, respectively, through Boolean variables of $V_I$ and $V_O$; (ii) a finite set of states $S$ which can be associated with entry, exit and during actions, which are executed, respectively, when the state is entered, exited, or throughout the permanence of the system in the state; (iii) a finite set of transitions, $H$, that may include guards (i.e., constraints) on the variables of $V$ and actions. An action is the assignment of the value of an expression over constants and variables of $V$ to a non-input variable. We assume all variables in $V$ to take values in a finite domain, which we represent by $D_V$.

We illustrate the notation through the example of a robotic cell composed of a robot arm that loads and unloads various parts on two machines, $M_1$ and $M_2$. The cell is served by a conveyor belt, which provides pallets to be processed. There are two types of pallets, A and B, which are processed, respectively, by machine $M_1$ and by machine $M_2$. After processing, the finished parts are discharged from the cell by means of the conveyor out belt. Figure 1 shows a Stateflow diagram describing the behavior of the robot arm.

At any time, the robot arm can switch from automatic to manual mode or from manual to automatic mode upon a suitable command from the operator. For example, in the graph of Figure 1 the transition from state GoToP0 to state OKP0 is enabled when a photocell signals that the robot arm has reached the central position P0, setting the input variable FP0.

[19] presents the complete, informal, specification of Stateflow diagrams, but it does not provide a precise definition of their semantics. Ours is based on the STATEMATE semantics of Statecharts [13].

Stateflow semantics hinges on the concept of run, which represents the reaction of the system to a sequence of input events. A run is a sequence of configurations; each configuration $(s, v)$ pairs the current state $s \in S$ with an evaluation function $v : V \to D_V$ representing the current values of the variables. The configuration changes only when an enabled transition is executed. An enabled transition must be executed, which entails that a Stateflow model must be internally deterministic. Input events, however, occur in a nondeterministic manner, so the model overall is nondeterministic.

The semantics of time evolution in Statecharts/Stateflow diagrams has proven difficult to pin down precisely, and different solutions have been proposed in the literature (e.g., [1]). Our model is of the so-called run-to-completion variety.

Fig. 1. Stateflow diagram of the controller of the robotic arm



In this model the system reacts to the input events by performing a sequence of reactions (macro-steps). Within every macro-step, a maximal set of enabled transitions (micro-steps) is selected and executed based on the events generated in the previous macro-step. Micro-steps are executed infinitely fast, with time advancing only at macro-step boundaries, when the system reaches a stable configuration, i.e., one in which no transition is enabled. In other words, micro-steps take zero time to execute; when no transition is enabled, time advances and the configuration changes when a new input event is received from the environment. As for STATEMATE, components sense input events and data only at the beginning of macro-steps and communicate output events and data only at their end. In the semantics outlined above each run identifies a sequence of time instants $\{t_i\}_{i \in \mathbb{N}}$, one for each macro-step, hence the time domain is discrete. This is consistent with the underlying physical model of our test case, as the PLCs on which FMS control solutions are built are governed by discrete clocks. In a sense, each macro-step corresponds to a clock cycle of the modeled PLC.
For example, if, at the beginning of a macro-step, the robot arm of Figure 1 is in position P0 (i.e., in state OKP0) and a pallet of type A is to be delivered to machine $M_1$, the transition between states OKP0 and GoToCIn1 is enabled, so the robot arm executes a micro-step and the output variable ToCIn is set to true. At this point, the whole system has reached a stable state, since the robot arm must wait for machine $M_1$ to terminate processing the pallet. The termination event is modeled by setting the input variable FCIn to true.

We now formalize the semantics of Stateflow diagrams through X-TRIO_N formulae. As the domain $D_V$ of Stateflow variables is assumed to be finite, it can be represented through a set of propositional letters: given a variable $v \in V$ and a value $k \in D_V$, when $v_k$ is true this represents that the value of $v$ is $k$. Similarly for the state space $S$. For readability, we write $v = k$ instead of $v_k$.

For each Stateflow transition $H_i : s_i \xrightarrow{g_i,\, a_i} s'_i$ from state $s_i$ to state $s'_i$ with guard $g_i$ and action $a_i$, we introduce the following formula:

$$\mathrm{AlwF}\big((\gamma_i \wedge s = s_i) \to \mathbf{X}_{ns}(s = s'_i \wedge \alpha_i \wedge \alpha_{ex_{s_i}} \wedge \alpha_{en_{s'_i}})\big) \qquad (3)$$

where $\gamma_i$ is an X-TRIO_N formula encoding guard $g_i$, and $\alpha_i$, $\alpha_{ex_{s_i}}$ and $\alpha_{en_{s'_i}}$ are X-TRIO_N formulae encoding, respectively, the transition action $a_i$, and the exit and entry actions of states $s_i$ and $s'_i$. Formula (3) formalizes the execution of a micro-step: it asserts that if the current state is $s_i$ and the transition condition $\gamma_i$ holds in the current configuration, then in the next micro-step the active state must be $s'_i$, and the entry actions of $s'_i$ and the exit actions of $s_i$ are executed. Thus, operator $\mathbf{X}_{ns}$ replaces a zero-time transition. If no transition is enabled, the configuration does not change, which is captured by the following formula:

$$\mathrm{AlwF}\Big(\bigwedge_{i=1}^{m} \neg(\gamma_i \wedge s = s_i) \to \mathrm{NOCHANGE}\Big) \qquad (4)$$

where subformula NOCHANGE, which is not further detailed for space reasons, asserts that in the next micro-step the current state and the values of all output and local variables do not change.

The time advancement of our semantics is modeled through operator $\mathbf{X}_{st}$: every time the system reaches a stable state (where no transition is enabled), the time advances to the next standard number. This is captured by the formula:

$$\mathrm{AlwF}\Big(\bigwedge_{i=1}^{m} \neg(\gamma_i \wedge s = s_i) \leftrightarrow \mathbf{X}_{st}(\top)\Big) \qquad (5)$$

The complete definition of the behavior of the transitions of the Stateflow diagram is given by $(\bigwedge_{i}(3)_i) \wedge (4) \wedge (5)$.

Finally, we introduce a formula asserting that input variables $V_I$ change values only at the beginning of a macro-step, i.e., when the system is in a standard instant of time. In other words, if the next time instant is non-standard, then the values of the input variables must be the same as those in the current instant:

$$\mathrm{AlwF}\Big(\mathbf{X}_{ns}(\top) \to \bigwedge_{v \in V_I,\, x \in D_V} (v = x \leftrightarrow \mathbf{X}_{ns}(v = x))\Big) \qquad (6)$$

The formula SYS encoding the behavior of the overall system is given by the conjunction of formulae $\bigwedge_{i}(3)_i$, (4), (5), (6), plus others not shown for brevity. Formula SYS characterizes precisely the runs of the corresponding Stateflow diagram, that is, it holds exactly for the runs modeled through the diagram.

3.2 System properties verification and experimental results 

The formalization introduced in Section T3.1l has been implemented in the Zot tool 
to perform the verification of some typical real-time properties of the example 
FMS system. Zot [23] is a bounded satisfiability checker which supports the 
verification of PLTLB models. It solves satisfiability (and validity) problems for 
PLTLB formulae by exploiting Satisfiability Modulo Theories (SMT) [3J solvers. 
Through Zot one can check whether stated properties hold for the system being 
analyzed (or parts thereof) or not; if a property does not hold, Zot produces a 
counterexample that violates it. 

As a first example, we check that the modeled system does not have Zeno 
runs, which would make it unrealizable. The system shows a Zeno behavior if, 
from a certain point on, "real" time does not advance, i.e., no macro-steps are 
performed. The presence of Zeno runs is formalized as follows: 

$$\text{SomF}\big(\text{AlwF}(X_{ns}(\top))\big) \qquad (7)$$

Formula (7) states that, from a certain instant on, the clock does not tick 
any more, i.e. the trace presents an infinite sequence of non-standard instants. 
We checked through the Zot tool that formula $\text{SYS} \wedge (7)$ is unsatisfiable, hence 
no runs of the system show property (7), and the system is devoid of Zeno runs. 

Through X-TRIO$_{\mathbb{N}}$ it is possible to formalize different variations of the 
intuitive notion of "until", for example one that takes into account only the last 
micro-step of each macro-step, i.e. when the system reaches a "stable state". 
Informally, $\text{Until}_{stable}(\phi, \psi)$ holds if there is a future macro-step such that in its 
last micro-step $\psi$ holds, and $\phi$ holds in the last micro-step of all macro-steps 
before that. The $\text{Until}_{stable}$ operator is useful to check properties that predicate 
only over the "real" time. It is defined by the following X-TRIO$_{\mathbb{N}}$ formula: 

$$\text{Until}_{stable}(\phi, \psi) \stackrel{def}{=} \text{Until}\big(X_{st}(\top) \rightarrow \phi,\; X_{st}(\top) \wedge \psi\big) \qquad (8)$$

where the last micro-step is identified by the fact that its next instant is standard. 
Another possible variant of "until", for example, is one that predicates only over 
the first instants of macro-steps, i.e., standard instants. It is defined by the 
following X-TRIO$_{\mathbb{N}}$ formula, which exploits predicate NowST of Section 2.2: 

$$\text{Until}_{st}(\phi, \psi) \stackrel{def}{=} \text{Until}\big(\text{NowST} \rightarrow \phi,\; \text{NowST} \wedge \psi\big) \qquad (9)$$
Formula                        Time (sec)   Memory (Mb)   Result 
Zeno paths detection (7)               85           264   No 
Deadlock detection (10)             17991           268   No 
Workpiece, L=15 (11)                  407           260   No 
Workpiece, L=20 (11)                   89           272   Yes 

Table 3. Test results 



We use operator $\text{Until}_{stable}$ to check for the existence of deadlocks in a system 
of synchronously evolving modules. Our notion of deadlock is defined over macro-
steps only, since we consider micro-steps to be transient states that are not 
observable outside of a module. Then, we say that the system is in deadlock if 
all of its components are in a deadlock state. If $E$ is the set of components of the 
system, where each $e \in E$ is described through a Stateflow diagram with state 
space $S_e$, the following X-TRIO$_{\mathbb{N}}$ formula captures this notion of deadlock: 

$$\bigwedge_{e \in E} \;\bigvee_{s \in S_e} \text{SomF}_{stable}\big(\text{AlwF}_{stable}(s_e = s)\big) \qquad (10)$$

where $\text{SomF}_{stable}(\phi)$ and $\text{AlwF}_{stable}(\phi)$ are, as usual, abbreviations for 
$\text{Until}_{stable}(\top, \phi)$ and $\neg\text{SomF}_{stable}(\neg\phi)$, respectively. 
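To make the difference between plain Until and the two variants (8) and (9) concrete, the following is an added Python evaluator (not part of the paper or of the Zot tool) for the strict Until used in the proofs, the $X_{st}$/$X_{ns}$ operators, formulae (8) and (9), and the $\text{SomF}_{stable}$/$\text{AlwF}_{stable}$ abbreviations of (10), run over a constructed bounded trace. It assumes that NowST means "the current instant is standard" and that a run is represented as a finite list of instants, as in a bounded Zot run.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instant:
    """One instant of a discrete X-TRIO history: is it standard, and which atoms hold."""
    st: bool
    atoms: frozenset

# A formula is a predicate over (trace, index); the trace is a finite prefix of a run,
# index i+1 being the next instant of index i (bounded run, as analysed by Zot).
def atom(p):    return lambda tr, i: p in tr[i].atoms
def neg(f):     return lambda tr, i: not f(tr, i)
def conj(f, g): return lambda tr, i: f(tr, i) and g(tr, i)
def impl(f, g): return lambda tr, i: (not f(tr, i)) or g(tr, i)
TOP = lambda tr, i: True
now_st = lambda tr, i: tr[i].st   # NowST (assumed): the current instant is standard

def x_st(f):  # X_st(f): the next instant exists, is standard and satisfies f
    return lambda tr, i: i + 1 < len(tr) and tr[i + 1].st and f(tr, i + 1)

def x_ns(f):  # X_ns(f): the next instant exists, is non-standard and satisfies f
    return lambda tr, i: i + 1 < len(tr) and not tr[i + 1].st and f(tr, i + 1)

def until(f, g):
    """Strict Until: some j > i satisfies g and every k with i < k < j satisfies f."""
    def ev(tr, i):
        for j in range(i + 1, len(tr)):
            if g(tr, j):
                return True          # witness found; all k in (i, j) already passed f
            if not f(tr, j):
                return False         # f broken before any witness: no later j can work
        return False
    return ev

# Formula (8): Until over last micro-steps only (those whose next instant is standard).
def until_stable(f, g): return until(impl(x_st(TOP), f), conj(x_st(TOP), g))
# Formula (9): Until over first micro-steps only (the standard instants).
def until_st(f, g):     return until(impl(now_st, f), conj(now_st, g))
# Abbreviations used in the deadlock formula (10).
def somf_stable(f):     return until_stable(TOP, f)
def alwf_stable(f):     return neg(somf_stable(neg(f)))

# Constructed trace: three macro-steps of three micro-steps each (t, t+e, t+2e).
# q holds only at the standard instant t=2; p holds at every last micro-step.
S, N = True, False
TRACE = [Instant(S, frozenset({"p"})), Instant(N, frozenset({"p"})), Instant(N, frozenset({"p"})),
         Instant(S, frozenset({"p"})), Instant(N, frozenset({"p"})), Instant(N, frozenset({"p"})),
         Instant(S, frozenset({"q"})), Instant(N, frozenset()),      Instant(N, frozenset({"p"}))]

def evaluate(tr=TRACE):
    """Evaluate the three 'until' variants and the stable abbreviations at instant 0."""
    p, q = atom("p"), atom("q")
    return {
        "Until(p,q)": until(p, q)(tr, 0),                # True: plain Until sees q at t=2
        "Until_st(p,q)": until_st(p, q)(tr, 0),          # True: t=2 is a standard instant
        "Until_stable(p,q)": until_stable(p, q)(tr, 0),  # False: q never holds in a last micro-step
        "AlwF_stable(p)": alwf_stable(p)(tr, 0),         # True: no stable instant satisfies not-p
        "SomF_stable(q)": somf_stable(q)(tr, 0),         # False: same reason as Until_stable
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:20s} {value}")
```

The trace shows why (8) "predicates only over real time": the instant where q holds and p fails is a first micro-step, so $\text{Until}_{st}$ and plain Until see it while $\text{Until}_{stable}$ and $\text{AlwF}_{stable}$ do not.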

The last property we present in this paper is a real-time property that states 
whether it is possible to produce and deliver one processed workpiece of any 
kind within $L$ time units from the system startup. The property is captured by 
the following formula, with the obvious meaning of the $\text{WithinF}_{stable}$ operator: 

$$\text{WithinF}_{stable}\big((s_{Rob} = \text{GoToCo1}) \vee (s_{Rob} = \text{GoToCo2}),\; L\big) \qquad (11)$$

The formula checks whether, within a time $L$ from the system startup, one 
of the states GoToCo1 or GoToCo2 of Figure 1 is reachable. The Stateflow 
diagram reaches state GoToCo1 if a workpiece of any type has been produced 
by machine $M_1$, and similarly for the other. By testing various values for $L$, we found 
that the minimum $L$ for which formula (11) holds is 16. 

Performance results obtained during the verification of the properties above are 
shown in Table 3. Verification was performed with a bound of 70 time units, 
which is a user-defined parameter that corresponds to the maximal length of the 
runs analyzed by Zot. The table shows the time spent to check the property, the 
memory occupation and the result, i.e. whether the property holds or not.¹ 

Considering that the sole Stateflow diagram of the controller of the robot arm 
of Figure 1 has $12 \cdot 2^{18}$ possible configurations, i.e., $|S| \cdot 2^{\sum_v |D_v|}$, the first verification 
experiments are encouraging, and show the feasibility of the approach. In fact, we 
were able to detect deadlocks in an early specification of the FMS that stemmed 
from an incorrect communication protocol between the robot and machine $M_1$. 

¹ All tests have been performed on a 3.3GHz QuadCore PC with Windows 7 and 4GB 
of RAM. The verification engine used was the SMT-based Zot plugin of [3]; the solver 
was z3 3.2 (http://research.microsoft.com/en-us/um/redmond/projects/z3/). 
4 Conclusions and Future Work 

We introduced a novel approach to the modeling and analysis of systems that 
evolve through a sequence of micro- and macro-steps occurring at different time 
scales, such that the duration of the micro-steps is negligible with respect to 
that of the macro-steps. In some sense, we can position our approach in between 
the "time granularity approach" [7], where different but positive standard and 
comparable time scales are adopted at different levels of abstraction, and the 
"zero-time transition" approach [11], [21], which instead "collapses" the duration 
of some action to a full zero. By introducing the notion of infinitesimal duration 
for micro-steps and by borrowing the elegant notation of NSA to formalize them, 
we overcome the limitations of the two other cases and generalize them: on the 
one side, unlike traditional mappings of different but positive standard time 
granularities, infinitesimal steps may accumulate in an unbounded or unpredictable 
way, thus allowing for the analysis of usually pathological cases such as Zeno 
behaviors; on the other side, by imposing that the effect of an event strictly follows 
in time its cause, we are closer to the traditional view of dynamical system theory, 
and we can reason explicitly about possible synchronization between different 
components even at the level of micro-steps. 

We pursued our approach through the novel language X-TRIO, which in- 
cludes both metric operators on continuous time and the next-time operator to 
refer to the next discrete state in the computation. Under simple and realistic 
conditions X-TRIO can be coded into an equivalent PLTLB formulation, which 
makes it amenable to automatic verification. 

To demonstrate the usefulness of our approach we developed a case study 
where we applied X-TRIO to formalize the semantics of Stateflow, to specify 
through it a simple robotic cell, and to prove a few basic properties thereof. 

We emphasize the generality and flexibility of our approach. Although in 
this paper we focused essentially on its application to formalizing (one particular 
semantics of) the Stateflow notation, it should be already apparent that the same 
path could be followed for different operational and descriptive notations and for 
their semantic variations. For instance, notice how we came up in a flexible way 
with simple formalizations of different interpretations of the Until operator; still 
others could be easily devised according to the needs of different applications. 

Such a generality will be pursued along several dimensions. The present choice 
of just one time unit for micro- and one for macro-steps is good enough for 
Stateflow and FMS but is not a necessary restriction: different, fixed or even 
variable durations for micro-steps could be used to model different components 
of a global system and their synchronization at the micro-level; macro-steps too 
could have different durations. On the other hand, non-zero infinitesimal durations 
for micro-steps are particularly well-suited to investigate (the risk of) 
dangerous behaviors such as zenoness; however, once such a pathological property 
has been excluded it could be useful to turn back to a finite metric of 
micro-steps, perhaps exploiting different time granularities: something similar 
occurs during hardware design where, in various contexts, the designer analyses 
the risk of critical races and the duration of precise finite sequences of micro-steps, 
or "collapses" all such sequences in an "abstract zero-time". Our approach 
allows the designer to manage all such "phases" in a uniform and general way. 

Another dimension along which it is worth exploiting the generality of our 
approach is the issue of decidability. The trade-off between expressive power and 
decidability (efficiency) offers many opportunities. Other, more general, versions 
of X-TRIO possibly supported by decision algorithms different from, or comple- 
mentary to, the translation into PLTLB are under investigation. 

Acknowledgments. We would like to thank our colleagues at CNR-ITIA, 
Emanuele Carpanzano and Mauro Mazzolini, for providing expertise, insight 
and examples of design of FMS. 
A Theorem proofs 
A.1 Proof of Theorem 1 

Proof. To demonstrate Theorem 1 we reduce the halting problem of a 2-counter 
machine to the satisfiability problem of X-TRIO$_{\mathbb{N}}$ formulae. To achieve this, we 
define a set of X-TRIO$_{\mathbb{N}}$ formulae that formalize the increment and decrement 
of the 2 counters. 

More precisely, we associate one counter with the sequence of even standard 
numbers, and the other with the sequence of odd standard numbers, in the 
following way: 

— we associate two different propositional letters, $E$ and $O$, with each standard 
instant of $\sigma$ s.t. when the current standard instant is an even (resp. odd) in-
teger number then only $E$ (resp. $O$) holds. They do not hold in non-standard 
instants. These constraints are represented by the following X-TRIO$_{\mathbb{N}}$ for-
mulae (we show the case of even instants): 

$$E \Rightarrow X_{st}(O) \vee X_{ns}\big(\text{Until}(\neg O,\; \neg X_{ns}(\top) \wedge \neg O \wedge \neg E)\big)$$

$$E \Leftrightarrow \text{Dist}(O, 1)$$

Similarly for $O$. 

— Given two consecutive standard instants $\sigma_j$ and $\sigma_i$ in $\sigma$ (i.e., such that 
$\sigma_i = \sigma_j + 1$), there is a finite (possibly empty) sequence of non-standard 
instants between them since $\sigma$ is discrete. This finite sequence has length 
$|i - (j + 1)|$. We indicate this subsequence of instants with $\sigma_{[j,i)}$ (notice that we 
include in $\sigma_{[j,i)}$ standard number $\sigma_j$, but not standard number $\sigma_i$). We in-
troduce suitable X-TRIO$_{\mathbb{N}}$ formulae to constrain sequence $\sigma_{[j,i)}$ to be parti-
tioned into two further subsequences in which, in each instant, propositional 
letter $A$ (resp. $B$) holds (in addition, $A$ and $B$ are mutually exclusive). We 
use letters $A$ and $B$ to "mark" each instant in $\sigma_{[j,i)}$ as in the example 
of Figure 2. The sequence of $B$s ends in the last non-standard instant of 
$\sigma_{[j,i)}$. The following X-TRIO$_{\mathbb{N}}$ formulae (which exploit the fact that when 
$\text{Until}(\phi, \psi)$ holds, $\phi$ must hold up to the instant before $\psi$ holds) formalize 
the behavior above: 

$$A \Rightarrow \text{Until}(A \wedge X_{ns}(\top),\; B) \qquad\quad B \Rightarrow \text{Until}(B,\; \neg X_{ns}(\top)) \qquad\quad A \Leftrightarrow \neg B \qquad (12)$$



[Figure: a trace whose standard instants $t$, $t+1$, $t+2$, $t+3$ are marked alternately $O$, $E$, $O$, $E$, and whose instants $t$, $t+\varepsilon$, $t+2\varepsilon$, ... carry the marks A A A B B B B B A A B B A B] 

Fig. 2. Part of trace representing counters 
— We use the sequence of $A$ and $B$ to represent the two counters: the number 
of $A$'s starting from standard numbers marked with $E$ (resp. $O$) represents 
the first (resp. second) counter. Then, we can encode the three operations 
increase / decrease / check if the counter is 0, by manipulating the length of 
the sequence of $A$s in the following way (we show only the formulae of the 
counter of the even instants; it is similar for the other one): 

1. The counter increases its current value if the sequence of $A$'s that starts 
at the next even standard instant is such that the last $A$ of that sequence 
is at distance $2 + \varepsilon$ from the last $A$ of the current sequence of $A$'s. We can encode 
this condition through the following X-TRIO$_{\mathbb{N}}$ formula: 

$$E \rightarrow \big(A \rightarrow \text{Until}(A,\; B \wedge \text{Dist}(A \wedge X_{ns}(B), 2))\big) \;\wedge\; \big(B \rightarrow \text{Dist}(A \wedge X_{ns}(B), 1)\big)$$

2. The counter decreases its current value if, at the next even standard 
instant, the length of the sequence of $A$'s is shorter than the current one 
by exactly one $A$. We can encode this constraint through the following 
X-TRIO$_{\mathbb{N}}$ formula: 

$$E \rightarrow \big(A \wedge X_{ns}(A) \rightarrow \text{Until}(A,\; A \wedge X_{ns}(A \wedge X_{ns}(B)) \wedge \text{Dist}(A \wedge X_{ns}(B), 2))\big) \;\wedge\; \big(A \wedge X_{ns}(B) \rightarrow \text{Dist}(B, 2)\big)$$

The first formula describes the case where the current value of the 
counter is strictly greater than 1. The second formula instead describes 
the case where the current value of the counter is exactly 1. 

3. The counter does not change its value if, at the next even standard 
instant, the length of the sequence of $A$'s is equal to the current one. We 
can encode this condition with the following X-TRIO$_{\mathbb{N}}$ formula: 

$$E \rightarrow \big(A \rightarrow \text{Until}(A,\; A \wedge X_{ns}(B) \wedge \text{Dist}(A \wedge X_{ns}(B), 2))\big) \;\wedge\; \big(B \rightarrow \text{Dist}(B, 2)\big)$$

The first formula describes the case where the current value of the 
counter is strictly greater than 0. The second formula instead describes 
the case where the current value of the counter is exactly 0. 

4. The counter is zero when the sequence of $A$'s is empty. In the case of 
the counter associated with even standard numbers we can encode this 
check with the following X-TRIO$_{\mathbb{N}}$ formula: 

$$E \wedge B$$

— Finally, at the initial instant of the sequence $\sigma$, which is an even number, 
$E$ holds and the corresponding counter value is 0. This is modeled by the 
following X-TRIO$_{\mathbb{N}}$ formula evaluated at instant 0: 

$$E \wedge B \qquad (13)$$
X-TRIO$_{\mathbb{N}}$ formulae (12)-(13) formalize the core mechanisms of a 2-counter 
machine that can decide to increase/decrease or leave unchanged the values of 
the counters on the basis of the set of atomic propositions that are true in 
a given instant of time, which are used to represent the current state of the 
machine. From this, the halting of the formalized machine can be expressed as 
simple reachability of a final state. Hence, we can conclude that the satisfiability 
problem of X-TRIO$_{\mathbb{N}}$ is undecidable. ■ 



A.2 Proof of Theorem 2 

In order to prove Theorem 2 we first need to introduce two intermediate results. 

Lemma 1. Given an X-TRIO$_{\mathbb{N}}$ formula $\phi$ in which all subformulae have the 
form $\psi \wedge \text{SomF}(X_{st}(\top) \vee X_{ns}(\top))$, and given two structures $S_1 = (\mathbb{N}^+, \beta_1, \sigma)$, 
$S_2 = (\mathbb{N}^+, \beta_2, \sigma)$ (i.e., which have the same history $\sigma$) such that, for all $t \in \mathbb{N}^+$ 
for which there is $i \in \mathbb{N}$ such that $t \le \sigma_i$, it is $\beta_1(t) = \beta_2(t)$, then $S_1, 0 \models \phi$ iff 
$S_2, 0 \models \phi$. 

Proof. We show a stronger result, from which Lemma 1 descends as a corollary. 
More precisely, we show that, given any $t \in \mathbb{N}^+$, $S_1, t \models \phi$ iff $S_2, t \models \phi$. First of 
all, we remark that, if for each $t \in \mathbb{N}^+$ there is a $\sigma_i$ such that $t \le \sigma_i$, then for all 
$t \in \mathbb{N}^+$ it is $\beta_1(t) = \beta_2(t)$, hence the desired result. In addition, notice that, in 
this case, condition $\text{SomF}(X_{st}(\top) \vee X_{ns}(\top))$ is true for all $t \in \mathbb{N}^+$, so the value 
of $\phi$ does not depend on it. 

In the rest of the proof we consider the case in which there are instants $t$ such 
that, for all $i$, $\sigma_i < t$. The set of such instants can be shown to have a minimum, 
which we indicate with $\bar{t}$, such that $st(\bar{t})$. Then, history $\sigma$ accumulates at $\bar{t}$, and 
we separate two cases: $t < \bar{t}$ and $t \ge \bar{t}$. In the case $t \ge \bar{t}$, $\text{SomF}(X_{st}(\top) \vee X_{ns}(\top))$ 
is false, hence for all $\phi$ both $S_1, t \not\models \phi$ and $S_2, t \not\models \phi$. Then, we only need to 
consider the case $t < \bar{t}$. The rest of the proof is by induction on the structure of 
$\phi$: consider a subformula $\psi$ of $\phi$. 

If $\psi = p$, by hypothesis $\beta_1(t) = \beta_2(t)$; hence the result. 

The cases $\psi = \neg\psi_1$ and $\psi = \psi_1 \wedge \psi_2$ are trivial. 

If $\psi = \text{Dist}(\zeta, 1)$, then $S_1, t \models \psi$ iff $S_1, t+1 \models \zeta$, hence, by inductive 
hypothesis, iff $S_2, t+1 \models \zeta$, and iff $S_2, t \models \psi$. Similarly for $\text{Dist}(\zeta, -1)$ and 
$\text{Dist}(\zeta, \varepsilon)$. 

If $\psi = \text{Until}(\psi_1, \psi_2)$, $S_1, t \models \psi$ iff there is $t' > t$ such that $S_1, t' \models \psi_2$, and for 
all $t < t'' < t'$ it is $S_1, t'' \models \psi_1$; by inductive hypothesis this occurs iff $S_2, t' \models \psi_2$, 
and for all $t < t'' < t'$ it is $S_2, t'' \models \psi_1$, i.e., iff $S_2, t \models \psi$. The case $\text{Since}(\psi_1, \psi_2)$ 
is similar. 

If $\psi = X_{st}(\zeta)$, then $S_1, t \models \psi$ iff there is $i \in \mathbb{N}$ such that $st(\sigma_{i+1})$, $\sigma_i \le t < 
\sigma_{i+1}$ and $S_1, \sigma_{i+1} \models \zeta$; by inductive hypothesis this holds iff $S_2, \sigma_{i+1} \models \zeta$, hence 
the result. Similarly for $X_{ns}(\zeta)$. ■ 

As a consequence of Lemma 1, and also of the next result, given the re-
strictions introduced in Section 2, in order to determine whether an X-TRIO$_{\mathbb{N}}$ 
formula is satisfiable we need only focus on the sequence $\sigma$, and we can disregard 
the instants following an accumulation point, if any. 

We introduce the following further intermediate result, in which we show 
that, in each interval $(\sigma_i, \sigma_{i+1})$ such that $st(\sigma_{i+1})$, the subformulae of $\phi$ have 
the same value in all $t \in [\sigma_i, \sigma_{i+1})$. 

Lemma 2. Given an X-TRIO$_{\mathbb{N}}$ formula $\phi$ and a structure $S = (\mathbb{N}^+, \beta, \sigma)$, 
if $st(\sigma_{i+1})$, then for any two instants $j, k \in \mathbb{N}^+$ such that $ns(j)$, $ns(k)$, and 
$\sigma_i \le j < k < \sigma_{i+1}$, $S, j \models \phi$ iff $S, k \models \phi$. 

Proof. First of all, notice that, by constraint (C1), $k > \sigma_i$ actually 
implies that $ns(k)$; the only case in which it can be $st(j)$ is when $j = \sigma_i$ and 
$st(\sigma_i)$. 

The proof proceeds by induction on the structure of $\phi$. 

If $\phi = p \in AP$, then $p \in \beta(j)$ iff $p \in \beta(k)$, as $\beta(j) = \beta(k)$ by definition of $\sigma$, 
hence the result. 

The cases $\phi = \neg\psi$ and $\phi = \phi_1 \wedge \phi_2$ are trivial. 

If $\phi = \text{Dist}(\psi, 1)$, then both $S, j \not\models \phi$ and $S, k \not\models \phi$, as $\text{Dist}(\psi, 1)$ is by conven-
tion false in non-standard instants. Similarly when $\phi = \text{Dist}(\psi, -1)$. 

If $\phi = \text{Dist}(\psi, \varepsilon)$, then $S, j \models \phi$ iff $S, j+\varepsilon \models \psi$ and $S, k \models \phi$ iff $S, k+\varepsilon \models \psi$. 
Since $\sigma_i < j+\varepsilon \le k+\varepsilon < \sigma_{i+1}$, $ns(j+\varepsilon)$ and $ns(k+\varepsilon)$, then by inductive 
hypothesis $S, j+\varepsilon \models \psi$ iff $S, k+\varepsilon \models \psi$, hence the result. 

If $\phi = \text{Until}(\psi_1, \psi_2)$, we have that $S, k \models \phi$ iff there is a $t > k$ s.t. $S, t \models \psi_2$, 
and for all $k < t' < t$ it is $S, t' \models \psi_1$. By inductive hypothesis, for all $t', t''$ s.t. 
$\sigma_i \le j \le t'' \le k < t' < \sigma_{i+1}$ where $ns(j)$, we have that $S, t' \models \psi_1$ iff $S, t'' \models \psi_1$. 
Hence, $S, t' \models \psi_1$ holds for all $k < t' < t$ iff also for all $j < t'' < t$ it is $S, t'' \models \psi_1$. 
Then, $S, k \models \phi$ iff $S, j \models \phi$. The case $\phi = \text{Since}(\psi_1, \psi_2)$ is similar. 

If $\phi = X_{st}(\psi)$, $S, j \models \phi$ iff $S, \sigma_{i+1} \models \psi$, as $st(\sigma_{i+1})$. We have also $S, k \models \phi$ iff 
$S, \sigma_{i+1} \models \psi$, hence the result. 

If $\phi = X_{ns}(\psi)$, both $S, j \not\models \phi$ and $S, k \not\models \phi$, as $st(\sigma_{i+1})$. 



